This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TOR Detection


Hello.

Is there any way to determine from a basic Wireshark trace if a TOR browser is being used?

There's the tell-tale signs of TCP and TLSv1 use, along with port 9001 and 9030.

But having completed some tests - I've discovered this only worked once over 10 tests!!

Any help would be appreciated.

asked 13 Aug '12, 09:30


DustinCook


One Answer:


There's the tell-tale signs of TCP and TLSv1 use, along with port 9001 and 9030.

Port 9030 is the directory server port. The client gets the list of nodes from the directory servers if it does not have that list stored locally. So you will see that traffic only if the client was started for the first time, or after a long time.

Port 9001 is the default Tor port, but many nodes run on port 443 (or any other port). That is configurable. So you will only see traffic on this port if your clients talk to a Tor node with the default port settings.

But having completed some tests - I've discovered this only worked once over 10 tests!!

See above.

The best sign for Tor traffic is this:

  • Look at the certificates. The Tor nodes will present a cert with a "random" name, like these:

    www.wgmyv7mbm6phnpq.net
    www.istzu7bz6fzy2y7if.com

  • Check the lifetime of the cert. Tor certs are often valid for one year, starting with the current day (weak criteria).

notBefore: utcTime (0) utcTime: 12-08-14 07:51:17 (UTC)
notAfter: utcTime (0) utcTime: 13-08-14 07:51:17 (UTC)

Using tshark, you can find this information as follows:

tshark -r tor_traffic.cap -T fields -R "ssl.handshake.certificate" -e x509af.utcTime -e x509sat.printableString

Sample output:

12-08-14 09:02:40 (UTC),13-08-14 09:02:40 (UTC) www.esvo7ripgfcpkpbhl.com,www.j6l4qj5dfvjlkxya.net
12-08-14 09:14:08 (UTC),13-08-14 09:14:08 (UTC) www.voej7w7i5wqhd.com,www.nhbrobe2u5.net
12-08-14 08:08:27 (UTC),13-08-14 08:08:27 (UTC) www.fgzxrfhrgo.net,www.too3xofkwpprvxix.net
12-08-14 07:38:26 (UTC),13-08-14 07:38:26 (UTC) www.3fcvwc4udn7mwj.net,www.iwajitj5g.net
12-08-14 08:36:16 (UTC),13-08-14 08:36:16 (UTC) www.gf2afmvv3jl6dg.net,www.lvdvho3yglfu6.net
12-08-14 08:48:34 (UTC),13-08-14 08:48:34 (UTC) www.gyk2lv67szubbg4ilq.com,www.ujasp2f6.net
12-08-14 09:00:19 (UTC),13-08-14 09:00:19 (UTC) www.b3dthjkqi6py.com,www.qi5itnnxft3l.net
12-08-14 07:40:36 (UTC),13-08-14 07:40:36 (UTC) www.cwrtpgdwvfo.com,www.b2h4tpc5fxaq4l.net
12-08-14 07:45:00 (UTC),13-08-14 07:45:00 (UTC) www.swxvuwbkux5ws.com,www.vlrzxyc7lyjcjqxv.net
12-08-14 08:03:23 (UTC),13-08-14 08:03:23 (UTC) www.vxlyzz7hhbo7reiwg.com,www.tq2bi77acv.net
12-08-14 08:01:07 (UTC),13-08-14 08:01:07 (UTC) www.5syfc6b7xph5.com,www.lqr4alfcyz.net
12-08-14 07:51:17 (UTC),13-08-14 07:51:17 (UTC) www.istzu7bz6fzy2y7if.com,www.wgmyv7mbm6phnpq.net
12-08-14 08:12:22 (UTC),13-08-14 08:12:22 (UTC) www.hrz7noiicfhnnr3w3s.com,www.gixyoknsh7udrxu.net

Now, use a script to check the cert lifetime (1 year, start: today) and the structure of the cert names (more or less random).

HINT: If the Tor node runs on a port that is not dissected as SSL/TLS, you need to add the port to the SSL properties, otherwise you won't see the cert and the lifetime!

Regards
Kurt

answered 14 Aug '12, 03:09


Kurt Knochner ♦
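A checking script of the kind the answer asks for, added here as an example and not part of Kurt's answer: it parses lines in the format of the tshark output above (assumed to have a tab between the utcTime field and the printableString field) and flags certs that are valid for one year and whose subject names all look random. The "random name" test is a heuristic derived from the sample names above, not a Tor specification, and the sample input is constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the tshark output above: the two x509af.utcTime
# values, a tab, then the x509sat.printableString values. Third line: non-Tor cert.
SAMPLE = (
    "12-08-14 09:02:40 (UTC),13-08-14 09:02:40 (UTC)\twww.esvo7ripgfcpkpbhl.com,www.j6l4qj5dfvjlkxya.net\n"
    "12-08-14 07:51:17 (UTC),13-08-14 07:51:17 (UTC)\twww.istzu7bz6fzy2y7if.com,www.wgmyv7mbm6phnpq.net\n"
    "12-03-01 00:00:00 (UTC),14-03-01 00:00:00 (UTC)\twww.example.com,Example Root CA\n"
)

TIME_RE = re.compile(r"(\d{2}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \(UTC\)")

def looks_random(name: str) -> bool:
    """Heuristic (assumption derived from the sample names, not a Tor spec):
    www.<label>.<com|net> with an 8-20 char alphanumeric label that either
    contains digits or is nearly vowel-free."""
    m = re.fullmatch(r"www\.([a-z0-9]{8,20})\.(com|net)", name)
    if not m:
        return False
    label = m.group(1)
    vowel_ratio = sum(c in "aeiou" for c in label) / len(label)
    return any(c.isdigit() for c in label) or vowel_ratio < 0.3

def parse_line(line: str):
    """Return (not_before, not_after, names) or None if the line is malformed."""
    times = [datetime.strptime(t, "%y-%m-%d %H:%M:%S") for t in TIME_RE.findall(line)]
    if len(times) < 2:
        return None
    names_part = line.rsplit("(UTC)", 1)[1]
    names = [n.strip() for n in names_part.split(",") if n.strip()]
    return times[0], times[1], names

def is_tor_like(line: str) -> bool:
    """Flag a cert valid for one year (365 or 366 days to allow for leap years)
    whose subject names all look random: the 'weak criteria' from the answer."""
    parsed = parse_line(line)
    if parsed is None:
        return False
    not_before, not_after, names = parsed
    lifetime = not_after - not_before
    one_year = timedelta(days=365) <= lifetime <= timedelta(days=366)
    return one_year and bool(names) and all(looks_random(n) for n in names)

def scan(output: str) -> list:
    """Return the tshark output lines that match the Tor heuristic."""
    return [ln for ln in output.splitlines() if ln.strip() and is_tor_like(ln)]
```

Pipe the tshark output into `scan()` and review the flagged lines by hand; a one-year lifetime alone is common for ordinary certs, so the name check is what gives the heuristic its value.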